Fun With Thread Local Storage (part 3)
1
Fun With Thread Local Storage (part 3)
  • Peter Ferrie
  • Senior Anti-virus Researcher
  • 2 July, 2008

2
You Can Call Me Al
  • Thread Local Storage callbacks were discovered in 2000.
  • However, widespread use didn't occur until 2004.
  • Now, it should be the first place to look for code,
  • since it runs before the main entrypoint.
  • And that can make all the difference.

Peter Ferrie, Microsoft Corporation
3
Empty!
(Screenshot: the program's entry point)
4
Empty!
(Screenshot: the entry point is a single instruction, C3 RET)
5
Empty!
  • So the main file does nothing.
  • If we assume that the structure is normal,
  • then we could check the thread local storage table.
  • Just in case.

6
Empty!
(Screenshot: the TLS data directory entry is present; its size doesn't matter)
7
Empty!
(Screenshot: the TLS directory's callback pointer, and the callback array it points to)
8
Empty!
  • So the search moves to the callbacks,
  • of which there is only one, but it looks peculiar.
  • It's not a virtual address.

9
The One and Only
10
Imported TLS callbacks
  • We know that the TLS callback array can be altered at runtime.
  • We know that the TLS callbacks can point outside of the image.
  • Now we are looking at a new way to achieve that.
  • Imports are resolved before TLS callbacks are called.
  • So TLS callbacks can be imported addresses!
  • Let's check the import table.

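The manual search on slides 5 to 10 (confirm that a TLS directory is present, follow AddressOfCallBacks, notice that the one entry is not a virtual address, then look it up in the import table) can be automated. The Python below is an added example and not code from the talk: using only the standard library it parses a PE32 image, walks the TLS callback array, reports whether that array lies inside the import address table, and resolves each IAT slot to its DLL!symbol through the import descriptors. The DLL name TLS3.DLL and the export name a are taken from the slides; the image returned by build_sample_pe() is constructed here for illustration and is not the talk's sample, and the detection criteria (callback array inside the IAT, callback value outside the image) are my own.

```python
# Added example, not code from the slides: walk a PE32 image the way the talk
# does (entry point, TLS directory, callbacks, import table) and flag the slide 10
# trick, where AddressOfCallBacks points into the IAT.  build_sample_pe() returns a
# constructed image for illustration; it is not the sample shown in the talk.
import struct

DIR_IMPORT, DIR_TLS, DIR_IAT = 1, 9, 12  # optional header data directory indexes

def cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")

def parse_pe32(data):
    """Return (image_base, size_of_image, entry_rva, sections, data_dirs)."""
    pe, = struct.unpack_from("<I", data, 0x3C)                     # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    o = struct.unpack_from("<HBBIIIIIIIII", data, opt)             # Magic .. FileAlignment
    if o[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    size_of_image, ndirs = [struct.unpack_from("<I", data, opt + k)[0] for k in (56, 92)]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)]
    dirs += [(0, 0)] * (16 - len(dirs))
    # per section: (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
    sections = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
                for i in range(nsec)]
    return o[9], size_of_image, o[6], sections, dirs               # ImageBase, entry point

def rva_to_off(sections, rva):
    """Map an RVA to a file offset through the section table."""
    for vsize, va, rawsize, raw in sections:
        if va <= rva < va + max(vsize, rawsize):
            return raw + (rva - va)
    raise ValueError("RVA %#x is outside every section" % rva)

def resolve_import(data, sections, dirs, rva):
    """If rva is an IAT slot of some import descriptor, return 'DLL!symbol'."""
    off = rva_to_off(sections, dirs[DIR_IMPORT][0]) if dirs[DIR_IMPORT][0] else None
    while off is not None:
        oft, _stamp, _fwd, name_rva, ft = struct.unpack_from("<5I", data, off)
        if name_rva == 0 and ft == 0:       # all-zero descriptor ends the table
            break
        lookup, i = oft or ft, 0            # INT, or the IAT itself when there is no INT
        while True:
            thunk, = struct.unpack_from("<I", data, rva_to_off(sections, lookup + 4 * i))
            if thunk == 0:
                break
            if ft + 4 * i == rva:
                sym = ("#%d" % (thunk & 0xFFFF) if thunk & 0x80000000   # by ordinal
                       else cstring(data, rva_to_off(sections, thunk) + 2))
                return "%s!%s" % (cstring(data, rva_to_off(sections, name_rva)), sym)
            i += 1
        off += 20
    return None

def tls_callback_report(data):
    """Repeat the slides' manual search: entry bytes, TLS directory, callbacks."""
    base, size_of_image, entry, sections, dirs = parse_pe32(data)
    report = {"entry_bytes": data[rva_to_off(sections, entry):][:1],
              "tls_present": bool(dirs[DIR_TLS][0]), "callbacks_in_iat": False, "callbacks": []}
    if not report["tls_present"]:
        return report
    tls = struct.unpack_from("<6I", data, rva_to_off(sections, dirs[DIR_TLS][0]))
    cb_rva = tls[3] - base                  # AddressOfCallBacks holds a VA, not an RVA
    iat_rva, iat_size = dirs[DIR_IAT]
    report["callbacks_in_iat"] = iat_rva <= cb_rva < iat_rva + iat_size
    while True:                             # every slot up to the NULL terminator is called
        value, = struct.unpack_from("<I", data, rva_to_off(sections, cb_rva))
        if value == 0:
            break
        report["callbacks"].append({
            "value": value,                 # on-disk value, before the loader patches it
            "in_image": base <= value < base + size_of_image,
            "import": resolve_import(data, sections, dirs, cb_rva)})
        cb_rva += 4
    return report

def build_sample_pe(imported=True):
    """Constructed PE32: RET at the entry point, one import 'a' from TLS3.DLL, and a
    TLS directory pointing at the IAT slot of 'a' (True) or a normal array (False)."""
    BASE, sec = 0x400000, bytearray(0x200)                # one section: RVA 0x1000, file 0x400
    struct.pack_into("<II", sec, 0x00, 0x1040, 0)          # IAT: thunk -> hint/name of 'a', NULL
    cb_va = BASE + (0x1000 if imported else 0x10B0)
    struct.pack_into("<6I", sec, 0x10, 0, 0, BASE + 0x1030, cb_va, 0, 0)  # IMAGE_TLS_DIRECTORY32
    sec[0x40:0x44], sec[0x50:0x59] = b"\0\0a\0", b"TLS3.DLL\0"            # hint/name, DLL name
    struct.pack_into("<5I", sec, 0x60, 0x1090, 0, 0, 0x1050, 0x1000)      # import descriptor
    struct.pack_into("<II", sec, 0x90, 0x1040, 0)          # INT
    sec[0xA0] = 0xC3                                       # entry point: RET
    struct.pack_into("<II", sec, 0xB0, BASE + 0x10A0, 0)   # normal callback array (RET as callback)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    dirs = [(0, 0)] * 16
    dirs[DIR_IMPORT], dirs[DIR_TLS], dirs[DIR_IAT] = (0x1060, 40), (0x1010, 24), (0x1000, 8)
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII", 0x10B, 0, 0, 0x200, 0x200, 0,
                      0x10A0, 0x1000, 0x1000, BASE, 0x1000, 0x200, 4, 0, 0, 0, 4, 0,
                      0, 0x2000, 0x400, 0, 3, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    hdr = (dos + b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102) + opt
           + struct.pack("<8sIIIIIIHHI", b".data", 0x200, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0xE0000060))
    return hdr.ljust(0x400, b"\0") + bytes(sec)
```

Two details matter for anyone writing such a checker. The value sitting in the callback array on disk is the unresolved import thunk (an RVA to the hint/name entry, or an ordinal with the high bit set), which is why it "looks peculiar" and why a tool that discards callbacks lying outside the image would miss it; the loader overwrites that slot with the real address of a before the callbacks are invoked. And because the array is NULL-terminated, every IAT slot from the one AddressOfCallBacks names up to the table's terminator is invoked as a callback, not only the first. Walking the descriptors' FirstThunk ranges rather than trusting data directory 12 also covers images that zero the IAT directory entry.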
11
The Search Goes On
(Screenshot: the import table lists TLS3.DLL)
12
The Search Goes On
(Screenshot: the imported function is named a)
13
The Search Goes On
  • So the search moves to TLS3.DLL,
  • and the mysterious function called a.

14
A function
15
The Aha Moment
  • So that's how it's done.
  • If we let it run...

16
Surprise!
17
Not OK
  • The code runs.

18
Really Not OK
  • Just a little something to add to the workload.
